A critical vulnerability coded into the Electrum wallet since 2015 has gone undiscovered until now. Users on wallet versions older than 3.0.5 are susceptible to having funds stolen and are recommended to upgrade immediately.

Electrum is one of bitcoin's longest-standing wallets, having been used heavily in the space since its inception in 2011. However, it has only recently been revealed to have a long undiscovered vulnerability, which was only fully patched yesterday, on January 8th. The vulnerability allows for remote access to a user's funds by having an un-encrypted wallet open in the background while browsing the internet. All userswith outdated wallets are still vulnerable to the exploit and are highly recommended to upgrade to version 3.0.5 as soon as possible. The original summary of the issue can be read here.

Play-by-play

The issue was first pointed out on November 25th, 2017 on the Electrum repo by jsmad. The full extent of the vulnerability was not fully understood by the poster, nor the Electrum devs, and it was added to the non-critical backlog:

Screenshot captured from the Electrum repository at ~12 PM GMT, January 9th.

Only recently was the potential of the exploit fully realized by taviso, who stated "I installed Electrum to look, and I'm confused why this isn't being treated as a critical and urgent vulnerability?" along with a complete explanation. He posted this on Saturday, January 6th, approximately a month and a half after the issue was first disclosed:

Screenshot captured from the Electrum repository at ~12 PM GMT, January 9th.

It was confirmed by Electrum dev ecdsa that the exploitable code had been around, undiscovered, since a commit on November 30th, 2015, over two years ago:

Once the extent of the exploit was revealed, a hotfix was released with Electrum version 3.0.4. But, open source contributors promptly revealed the quick patch to be insufficient:

Screenshot captured from the Electrum repository at ~12 PM GMT, January 9th.

Finally, the dev team followed up with Electrum 3.0.5 which has fixed the bug in its entirety.

Outdated wallets still vulnerable

This reveals a key issue still withstanding with the Electrum client: outdated and exposed wallets will not auto-update to the new, secure version of the client. Users who regularly scour social media would have promptly downloaded the upgrade manually, but the majority that haven't will stillbe using outdated and vulnerable versions of the Electrum wallet none-the-wiser. Furthermore, with the exploit fully publicized, there are certainly now scores of bad actors intent on exploiting the vulnerability to those very wallets that have yet to be updated.

Crypto Insider emphasizes that users who are still operating outdated versions upgrade to the latest version via the Electrum download page immediately.